Administration Guide

Authentication Sources and Access

In Authentication Sources and Access, you can control network access for different users and devices in your network. FortiSASE authentication controls system access by user group. By assigning individual users to the appropriate user groups, you can control each user’s access to network resources. You can define local users and remote users in FortiSASE. You can also integrate user accounts on remote authentication servers and connect them to FortiSASE.

The following summarizes the provisioning process for different user types on FortiSASE:

User type

Provisioning process

LDAP

Configure remote users over LDAP to easily integrate FortiSASE with a Windows Active Directory (AD) server or another LDAP server. You can invite users in one of the following ways:

  • Define an individual user and send the invitation to them directly
  • Create a user group and send the invitation using the Onboard Users button

See Configuring FortiSASE with an LDAP server for remote user authentication in FortiClient agent-based mode.

See Configuring FortiSASE with an LDAP server for remote user authentication in SWG agentless mode.

RADIUS

Configure remote authentication with a RADIUS server. You can allow all users that the RADIUS server authenticates or define a group in Configuration > Users. Send the invitation code to users using the Onboard Users button. See Configuring FortiSASE with a RADIUS server for remote user authentication.
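The exchange that a RADIUS integration relies on, as an added example that is not part of this guide and not FortiSASE's or Fortinet's own code: a minimal RFC 2865 Access-Request / Access-Accept round trip in plain Python, with the User-Password hiding (section 5.2) and the Response Authenticator check (section 3) done as the RFC specifies. The shared secret, user store, user name, password and NAS-Identifier are constructed demo values, and the in-process "server" function is a stand-in for a real RADIUS server; nothing here touches the network.

```python
import hashlib
import hmac
import secrets
import struct

# Packet codes and attribute types from RFC 2865.
ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
ATTR_USER_NAME, ATTR_USER_PASSWORD, ATTR_REPLY_MESSAGE, ATTR_NAS_IDENTIFIER = 1, 2, 18, 32

# Constructed demo values (assumption): a real deployment has its own secret and user store.
SECRET = b"example-shared-secret"
USERS = {b"alice": b"correct horse"}


def _attr(atype, value):
    """Encode one attribute as Type, Length (value length + 2-byte header), Value."""
    if len(value) > 253:
        raise ValueError("attribute value too long")
    return struct.pack("!BB", atype, len(value) + 2) + value


def hide_password(password, secret, request_auth):
    """RFC 2865 s5.2: NUL-pad to 16-byte blocks, xor each block with MD5(secret + previous block)."""
    padded = password + b"\x00" * (-len(password) % 16) or b"\x00" * 16
    out, prev = b"", request_auth
    for i in range(0, len(padded), 16):
        block = bytes(p ^ b for p, b in zip(padded[i:i + 16], hashlib.md5(secret + prev).digest()))
        out, prev = out + block, block
    return out


def unhide_password(hidden, secret, request_auth):
    """Server-side inverse of hide_password; the NUL padding is stripped again."""
    out, prev = b"", request_auth
    for i in range(0, len(hidden), 16):
        block = hidden[i:i + 16]
        out += bytes(c ^ b for c, b in zip(block, hashlib.md5(secret + prev).digest()))
        prev = block
    return out.rstrip(b"\x00")


def parse_packet(data):
    """Return (code, identifier, authenticator, [(type, value), ...]) after length checks."""
    code, ident, length = struct.unpack("!BBH", data[:4])
    if length != len(data) or length < 20:
        raise ValueError("bad packet length")
    attrs, pos = [], 20
    while pos < length:
        atype, alen = data[pos], data[pos + 1]
        if alen < 2 or pos + alen > length:
            raise ValueError("malformed attribute")
        attrs.append((atype, data[pos + 2:pos + alen]))
        pos += alen
    return code, ident, data[4:20], attrs


def build_access_request(ident, username, password, secret, nas_id, request_auth=None):
    """Client side: Access-Request carrying a fresh random 16-byte Request Authenticator."""
    request_auth = request_auth or secrets.token_bytes(16)
    attrs = (_attr(ATTR_USER_NAME, username)
             + _attr(ATTR_USER_PASSWORD, hide_password(password, secret, request_auth))
             + _attr(ATTR_NAS_IDENTIFIER, nas_id))
    return struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(attrs)) + request_auth + attrs


def response_authenticator(code, ident, request_auth, attrs, secret):
    """RFC 2865 s3: MD5(Code + ID + Length + RequestAuth + Attributes + Secret)."""
    header = struct.pack("!BBH", code, ident, 20 + len(attrs))
    return hashlib.md5(header + request_auth + attrs + secret).digest()


def build_response(code, ident, request_auth, secret, reply_message=b""):
    attrs = _attr(ATTR_REPLY_MESSAGE, reply_message) if reply_message else b""
    auth = response_authenticator(code, ident, request_auth, attrs, secret)
    return struct.pack("!BBH", code, ident, 20 + len(attrs)) + auth + attrs


def verify_response(response, request_auth, secret):
    """Client side: accept a reply only if its authenticator matches the request we actually sent."""
    code, ident, auth, _ = parse_packet(response)
    expected = response_authenticator(code, ident, request_auth, response[20:], secret)
    return hmac.compare_digest(expected, auth)


def server_handle(request, secret, users=USERS):
    """Toy stand-in for the RADIUS server: recover the password, answer Accept or Reject."""
    code, ident, request_auth, attrs = parse_packet(request)
    if code != ACCESS_REQUEST:
        raise ValueError("unexpected packet code")
    a = dict(attrs)
    password = unhide_password(a.get(ATTR_USER_PASSWORD, b""), secret, request_auth)
    user = a.get(ATTR_USER_NAME)
    if user in users and hmac.compare_digest(users[user], password):
        return build_response(ACCESS_ACCEPT, ident, request_auth, secret)
    return build_response(ACCESS_REJECT, ident, request_auth, secret, b"invalid credentials")


def authenticate(username, password, secret=SECRET, server_secret=None):
    """In-process round trip: 'accept', 'reject', or 'unverified' when the reply fails the authenticator check."""
    request = build_access_request(7, username, password, secret, b"fortisase-demo")
    response = server_handle(request, server_secret or secret)
    if not verify_response(response, request[4:20], secret):
        return "unverified"
    return "accept" if response[0] == ACCESS_ACCEPT else "reject"
```

Two things worth noticing when reading this against a real deployment. First, the User-Password "hiding" is an xor with an MD5 stream derived from the shared secret, not encryption: anyone who can capture the UDP exchange can attack the secret offline, which is a practical reason to keep the RADIUS server on the private side (Access Type set to Private, behind the SPA hub, as the note below describes) rather than exposing it to the internet. Second, the MD5-based Response Authenticator alone has been shown forgeable by an on-path attacker (the 2024 Blast-RADIUS attack, CVE-2024-3596); deployments now also require the Message-Authenticator attribute from RFC 2869 on requests and replies, which this example leaves out.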

Single sign on (SSO)

Configure an SSO connection with an authentication server such as Entra ID or Okta, where Entra ID or Okta is the identity provider (IdP) and FortiSASE is the service provider (SP). You can allow all users from the IdP or define a group in Configuration > Users. Send the invitation code to users using the Onboard Users button. See:

Local

Define the user in Configuration > Users and send the invitation to them directly. See Users.

Note

FortiSASE can connect to DNS, RADIUS, or LDAP servers with internal IP addresses or FQDNs when all of the following are true:

  • Access Type is set to Private in the RADIUS or LDAP server settings
  • The internal servers are located behind a secure private access (SPA) hub
  • The SPA hub in FortiSASE has been configured with BGP per overlay

Implicit and split DNS rules for VPN traffic configured with internal IP addresses work with SPA hubs configured with any BGP routing design.

When the FortiSASE Endpoint Management Service uses LDAP servers with Groups & AD Users for endpoint profile assignments, these servers must use public IP addresses or publicly accessible FQDNs with Access Type set to Public in the LDAP server settings and may require some configuration or topology changes.

See Network restrictions removed.

Note

The FortiSASE Endpoint Management Service does not support importing LDAP subdomains if you have already imported the LDAP parent domain previously into it.

The Onboard Users button, which is available from the Remote User Management widget on the Status dashboard, allows you to send an email to users to invite them to FortiSASE. They can register their FortiClient to FortiClient Cloud by using the instructions in the invitation email. You must still provision users via one of the aforementioned methods to give them access to VPN and other FortiSASE resources.
